On 16 September 2014 21:08, Gareth France <[email protected]> wrote:
> Not ubuntu related but I'm hoping someone may have the answer I need.
> Today I discovered my webspace has been hacked and several sites now
> contain additional code at the start of every single PHP file. Looking at
> my backups I can see it has been there for a while so restoring from a
> very old backup could cause me issues.
>
> Is there some way I could do a recursive find and delete on that code? It
> is a very long single line including slashes, hashes, exclamation marks
> etc so using sed would be difficult as the examples I have seen show /thing
> to change/thing to change to/.
>
> Any ideas very welcome.
>
>
find . -name "*.php" -exec grep -e "(string)" {} \;
from your document root will find the string. A guess would be that the
added code is actually base64 so there will be an eval() or base64() at the
start of it. You should also be able to use just a fragment of the string.
Look at what egrep or grep -e can do to return the actual injected code and
you could then pass that to sed using xargs and delete it, but the simple
truth is that it's going to be a bind. You also have to identify where the
injection was and get rid of it or it will just happen again.
s/
--
Twitter: @sfgreenwood
"TBA are particularly glib"
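
One way to do the recursive find-and-delete discussed in this thread, as an added example that is not part of either message. The function name `strip_injected` and its three arguments are assumptions of this sketch, as is the premise that the injected text is known exactly and sits on the first line of each file.

```shell
#!/bin/sh
# Added example (not from the thread). Arguments are assumptions of this sketch:
#   $1 ROOT     document root to scan
#   $2 SIGFILE  file whose first line is the exact injected text
#   $3 BACKUP   directory outside the web root for untouched originals
# Prints the number of files cleaned. File names containing newlines are not supported.
strip_injected() {
    root=${1%/} backup=$3 count=0
    sig=$(head -n 1 "$2")
    [ -n "$sig" ] || { echo "empty signature" >&2; return 2; }
    hits=$(mktemp) && tmp=$(mktemp) || return 2
    # -F: literal match, so slashes, hashes and '!' need no escaping.
    # -l: list matching files only. "|| :" because grep exits 1 on no match.
    find "$root" -type f -name '*.php' -exec grep -lF -e "$sig" {} + > "$hits" || :
    while IFS= read -r f; do
        # index()/substr() remove the text literally; ENVIRON avoids the
        # backslash processing that awk applies to -v assignments.
        if SIG=$sig awk '
            NR == 1 && (i = index($0, ENVIRON["SIG"])) {
                $0 = substr($0, 1, i - 1) substr($0, i + length(ENVIRON["SIG"]))
                changed = 1
                if ($0 == "") next   # injection was the whole line: drop it
            }
            { print }
            END { exit !changed }' "$f" > "$tmp"
        then
            bak=$backup/${f#"$root"/}
            mkdir -p "$(dirname "$bak")" && cp -p "$f" "$bak" || return 1
            cat "$tmp" > "$f"        # overwrite in place: keeps owner and mode
            count=$((count + 1))
        else
            echo "signature not on line 1, inspect by hand: $f" >&2
        fi
    done < "$hits"
    rm -f "$hits" "$tmp"
    echo "$count"
}
```

Dropping a first line that becomes empty matters because a stray blank line ahead of `<?php` is sent as output and breaks later header or session calls. The backup copies keep the injected code for working out how it got in.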